Dixons Stores Group has once again been caught potentially breaching the Data Protection Act 1998 (see Advisors passim). But the DPA, it transpires, is deeply flawed in favour of such action.
Once more unto the breach for the high street store
The Information Commissioner, who enforces the DPA, has also admitted that PC World, like other retailers, is not even legally obliged to report privacy breaches. PC World is owned by Dixons Stores Group. Nor is the Commissioner required to investigate complaints unless they come from victims of such behaviour.
But these people will probably never even know they are victims. PC Advisor reader Mr Patterson bought a replacement hard drive from his local branch of PC World only to discover it contained personal and business data belonging to someone else. After gathering irrefutable evidence that the hard drive had a previous owner, he contacted the Information Commissioner.
But the Information Commissioner wasn't interested. According to Section 42 of the DPA, the person whose data has been compromised has to report the incident.
As Mr Patterson's private data had not been disclosed in any way, the Information Commissioner would not initiate an investigation into the matter. Mr Patterson then decided to bring the matter to PC Advisor's attention.
Dixons Stores Group issued a statement about this matter to PC Advisor. "We are sorry to hear that a spare part has apparently been supplied without our mandatory reconditioning taking place," it said.
Myles Jelf of law firm Bristows told PC Advisor that this is not necessarily a loophole in the legislation, but a simple issue of making laws that can easily and effectively be applied.
"The act gives us the right to have a say in what happens to our information. Once you say that anyone can make a complaint, you open up a whole other can of worms," he said.
But Jelf agreed that the way the Act is written means that PC World doesn't have to report a privacy breach and the Commissioner need not listen to a complaint unless it's from a victim.
Elizabeth Dunn, compliance manager at the Information Commissioner, confirmed that under the terms of the Act only a complaint from the person who is directly affected by the disclosure of the information, or someone acting on their behalf, can trigger an investigation. She did, however, intimate that this is not an ideal rule to apply in every case. "It is something that we are looking at," she said.
When asked what a customer should do if they found someone else's data on any item they purchase, she recommended reporting the incident to the reseller, in this case the PC World store in Aintree, Liverpool.